Skillv0.4.1

ClawScan security

WebChat Voice Full Stack · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 20, 2026, 2:01 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The meta-installer's declared purpose (orchestrating three local WebChat voice sub-skills) matches what it does: it verifies script checksums, then runs downstream deploy scripts to create user-level services, inject a UI script, and add a gateway origin — there are no disproportionate credentials, installs, or hidden network sinks in the files shown.
Guidance: This meta-skill appears to do what it says, but it is a coordinator: its security ultimately depends on the three sub-skill deploy scripts it runs. Before deploying: 1) inspect the sub-skill scripts under $WORKSPACE/skills (especially anything that creates services, writes to gateway config, or touches Control UI); 2) run bash scripts/rehash.sh only after you have manually audited those scripts so checksums.sha256 records a trusted baseline (deploy aborts if no checksum file or mismatches are found); 3) back up your gateway/Control UI configuration so you can restore allowedOrigins and remove any injected script; 4) confirm where the STT model will be downloaded from and ensure you have the bandwidth and trust in that host; 5) ensure WORKSPACE and SKILLS_DIR are not pointing at sensitive system locations (no root/sudo is required, but user-scoped changes will be made). Following these steps will minimize the risk of inadvertently running unreviewed code.

Review Dimensions

Purpose & Capability: okThe skill is a meta-installer whose actions (creating user-level systemd services, injecting a UI script, adding a gateway origin, downloading a local STT model) match the description. It does not request unrelated credentials or binaries. The requirement for Python, GStreamer, and an initial Internet connection for model download is consistent with a local STT deployment.
Instruction Scope: noteRuntime instructions stay within the stated scope: verify integrity, ensure sub-skills are present, and invoke their deploy scripts. All filesystem and service changes referenced (user systemd services, Control UI script injection, gateway.allowedOrigins) are relevant to enabling voice input. Important caveat: this meta-skill delegates all substantive work to the sub-skills' deploy scripts, so security depends heavily on those scripts; the meta-skill enforces checksum verification but requires the user to generate or commit the trusted baseline before deployment.
Install Mechanism: okThere is no network-based install spec in this package; it is instruction/script-based and runs local shell scripts. The only network action mentioned is the model download performed by the STT sub-skill on first run (~1.5 GB). No downloads from arbitrary URLs or extraction logic are present in the meta-skill itself.
Credentials: okThe skill requires no credentials or environment secrets. It uses configurable WORKSPACE and SKILLS_DIR paths and optional VOICE_* env overrides; those are reasonable. One operational note: if SKILLS_DIR/WORKSPACE are redirected to sensitive locations (symlinks, shared system dirs), the scripts will act there — verify these paths before running.
Persistence & Privilege: okPersistence is limited to user-scoped systemd services and a single UI injection/allowed-origin change described in the docs. always:false and default autonomous invocation are set. The changes are reversible via uninstall instructions. Updating gateway.allowedOrigins and injecting a script are privileged changes to the local Control UI — expected for this feature but should be reviewed and backed up before applying.